There are four types of PPP interfaces:

  • PPP for cellular and modem devices

  • PPPoE for DSL or similar connections

  • PPTP and L2TP for ISPs that require them for authentication

In most cases these are managed by the interface settings directly, but the settings are also available under Interfaces > Assignments on the PPPs tab.

See also

PPP (Point-to-Point Protocol) Interface Types

Add or edit a PPP entry as follows:

  • Navigate to Interfaces > Assignments on the PPPs tab

  • Click fa-pencil to edit an existing entry or fa-plus to add a new entry

  • Set the Link Type

The Link Type determines the remaining options on the page. The available link types are explained throughout the remainder of this document.

PPP (Cellular Modem)

The PPP link type is used for talking to a modem over a serial device. This can be anything from a USB modem dongle for accessing a cellular network down to an old hardware modem for dial-up access.


Some cellular modems appear as Ethernet devices and not serial devices. Those are configured as regular interfaces, not as PPP devices.

When configuring a PPP device, the following options are available:

Link Interface:

A list of serial devices that the firewall can use to communicate with a modem. Click on a specific entry to select it for use by the firewall.


The firewall does not automatically detect the serial device for a modem. Some modems present themselves as several devices and the subdevice for the PPP line may be any of the available choices. Start with the last device, then try the first, and then others in between if none of those function.


A text description of this PPP instance, for reference (e.g. VZW Modem).


The country in which this modem resides (e.g. United States).

The firewall populates the Provider list based on the value of this field.


The cellular service provider for this modem (e.g. Verizon).

The firewall populates the Plan list based on the value of this field.


The type of cellular service this modem uses from Provider.

This populates the remaining fields where possible with values specific to the Plan.

The remaining options can be configured manually if other values are needed, or when using an unlisted provider:

Username and Password:

The credentials used for the PPP login, if any.

Phone Number:

The number to dial at the ISP to gain access. For cellular providers this tends to be a number such as *99# or #777. For dial-up this is usually a traditional telephone phone number.

Access Point Name (APN):

Some ISPs require this value to identify the service to which the client connects. Some providers use this to distinguish between consumer and business plans or legacy networks.

APN Number:

Optional setting. Defaults to 1 if the APN is set, and ignored when APN is unset.


Security code on the SIM to prevent unauthorized use of the card.


Do not enter anything here if the SIM does not have a PIN.


Number of seconds the firewall will wait for the SIM to discover network after the PIN is sent to the SIM. If the delay is not long enough the SIM may not have time to initialize properly after unlocking.

Init String:

The modem initialization string, if necessary. Most modern modems do not require a custom initialization string.


Do not include AT at the beginning of the command.

Connection Timeout:

Time the firewall will wait for a connection attempt to succeed, in seconds. Default is 45 seconds.

Uptime Logging:

When checked, the firewall tracks the uptime for the connection and displays it on Status > Interfaces.

PPPoE (Point-to-Point Protocol over Ethernet)

PPPoE is a popular method of authenticating and gaining access to an ISP network, most commonly found on DSL networks, but may also be used on fiber or other link types.


Due to limitations in the way PPPoE frames are processed by network cards incoming PPPoE traffic is limited to a single network interface queue. As such, performance may be limited or otherwise lower than expected. See PPPoE with Multi-Queue NICs for details.

To configure a PPPoE link, start by setting Link Type to PPPoE and complete the remainder of the settings as follows:

Link Interface(s):

A list of network interfaces the firewall can use for PPPoE. These are typically physical interfaces but PPPoE can also work over some other interface types such as VLANs. Select one entry for normal PPPoE or multiple entries for MLPPP.


An optional text description of the PPP entry.

Username and Password:

The credentials for this PPPoE connection. The credentials will be provided by the ISP and the username is typically in the form of an e-mail address, such as mycompany@ispexample.com.

Service Name:

Left blank for most ISPs but some ISPs require this to be set to a specific value.

Contact the ISP to confirm the value if the connection does not function when left blank.

Configure NULL Service Name:

Some ISPs require clients to send a NULL value instead of a blank service name. Check this option when the ISP requires this behavior.

Periodic Reset:

Configures a pre-set time when the firewall will drop the connection and reconnect. This is rarely needed, but in certain cases it can better handle reconnections when an ISP has forced daily reconnections or similar quirky behavior.

PPTP (Point-to-Point Tunneling Protocol)

Not to be confused with a PPTP VPN, this type of PPTP interface is meant to connect to an ISP and authenticate, much the same as PPPoE. The options for a PPTP WAN are identical to the PPPoE options of the same name. Refer to the previous section for configuration information.

L2TP (Layer 2 Tunneling Protocol)

L2TP, as it is configured here, is used for connecting to an ISP that requires it for authentication as a type of WAN. L2TP works nearly identically to PPTP. Refer to the previous sections for configuration information.

L2TP has one additional option not found on other types:

Shared Secret:

A shared secret the firewall will use to authenticate the tunnel connection and encrypt control L2TP control packets. May be left blank if the server does not support a shared secret.


This must match the shared secret set on the L2TP server.

Advanced PPP Options

All PPP types have several advanced options in common. In most cases these settings can remain at their default values.

Click fa-cog Display Advanced to display these options.

Dial On Demand:

The default behavior for a PPP link is to immediately connect and immediately attempt to reconnect when a link is lost. This behavior is described as Always On. Dial-on-Demand delays this connection attempt. When set, the firewall waits until a packet attempts to leave the via this interface to make a connection attempt. Once the firewall connects it will not automatically disconnect.

Idle Timeout:

The firewall will hold a PPP connection open indefinitely by default. A value in Idle Timeout, specified in seconds, will cause the firewall to monitor the line for activity. If there is no traffic on the link for the given amount of time, the firewall will disconnect the link. If Dial-on-Demand has also been set, the firewall will return to dial-on-demand mode.


The firewall performs gateway monitoring by default which generates two ICMP pings per second on the interface. Idle Timeout will not function in this case. This can be worked around by editing the gateway for this PPP link and checking Disable Gateway Monitoring.

Compression (vjcomp):

This option controls whether or not the firewall will use Van Jacobson TCP header compression for this connection. By default the firewall will negotiate this with the peer during login and enable it if both sides support the feature. Checking Disable vjcomp will disable support for this feature. This feature is beneficial because it saves several bytes per TCP data packet when possible. The best practice is to keep the option enabled unless the remote requires it to be disabled.


This compression is ineffective for TCP connections with enabled modern extensions like time stamping or SACK, which modify TCP options between sequential packets.


This option causes the PPP daemon to adjust incoming and outgoing TCP SYN segments so that the requested maximum segment size (MSS) is not greater than the amount allowed by the interface MTU.

This is necessary in most cases to avoid problems caused by routers which drop ICMP “Datagram Too Big” messages. Without these messages, peers cannot detect a when packets attempt to cross a link which cannot carry frames of the required size. Consider this scenario. The originating machine sends data which passes a rogue router then arrives at a host that has an MTU that is not big enough for the data. Because the IP “Don’t Fragment” option is set, this machine sends an ICMP “Datagram Too Big” message back to the originator and drops the packet. The rogue router drops the ICMP message and the originator never gets to discover that it must reduce the fragment size or drop the IP “Don’t Fragment” option from its outgoing data. If this behavior is undesirable, check Disable tcpmssfix.


The MTU and MSS values for the interface may also be adjusted on the configuration page for the interface under the Interfaces menu, such as Interfaces > WAN (Interface Configuration).

Short Sequence (ShortSeq):

This option is only meaningful when the firewall is negotiating MLPPP with the provider. It proscribes shorter multi-link fragment headers, saving two bytes on every frame. It is not necessary to disable this for connections that are not multi-link. If MLPPP is active and this feature must be disabled, check Disable shortseq.

Address Control Field Compression (ACFComp):

This option only applies to asynchronous link types. It saves two bytes per frame. To disable this, check Disable ACF Compression.

Protocol Field Compression (ProtoComp):

This option saves one byte per frame for most frames. To disable this, check Disable Protocol Compression.

PPPoE has two additional advanced options:

Multilink over single link:

When set, the firewall will use LCP multi-link extensions over a single link. This ignores the MTU/MRU settings. Only enable if supported by the ISP.

Force MTU:

When set, overrides the MTU negotiated with the ISP with a higher value known to work on the link.


This option violates RFC 1661 and can break connectivity. While it may result in faster speed as larger packets can be transferred, there is no guarantee that it will function in the future if the provider makes changes.